Why web.config for Connection strings?
This message was discovered on ASPFriends.com 'aspngarchitecture' list.
Responses highlighted in red are from those people who are likely to be able to contribute good, authoritative information to this discussion. They include Microsoft employees, MVPs and others who IMHO contribute well to these kinds of discussions.
Bryan Andrews
-- Moved from [aspngconfig] to [aspngarchitecture] by Yannick Smits --
I am just curious as to why the web.config seems to be the place of choice for connection strings?
It is one of the few files in the application that is not compiled and thus not as secure (right?).
Am I missing something? What is better about putting your connection string there rather than in a component?
It's not like you are changing them all the time...
Thanks for any thoughts.
Raghavendra Ural
Say you have a product which you need to deploy. What will you do for the server name, user name
and password that form your connection string? Do you restrict the user to the
name/passwords predefined in your component? Or do you give him the option of giving his server
name, username and password?
If you want to give such options, then you have to go for setting connection string in your
web.config file.
I hope I have cleared your doubt.
rgds
Ural
Bryan Andrews wrote:
[Original message clipped]
Chris Anderson
My guess is:
1. web.config cannot be downloaded and so is as secure as the compiled
source from the point of view of the site visitor
2. putting it in the source wouldn't be any more secure anyway (a literal
string in IL isn't well hidden)
3. although it's not something that gets changed often, it has potential to
need change (especially for sites which you deploy in multiple locations
(intranets, etc))
4. If you logged in using the UID and PWD in the web.config file, you
*should* only have as much access as the application does...assuming the
application doesn't use the sa login <bg>
5. If the security of the method bothers you, you can always compile in the
UID and PWD portions of the connection string, and put the rest in the
web.config (allowing the server to be moved, etc)
But of course that then forces the uid and pwd for the app to be fixed
(which some sysadmins don't like..developers knowing the database password)
Merak
[Original message clipped]
Steven A Smith (VIP)
And when you deploy from your dev system with dev database to your
production system with production database you don't have to recompile to
change the connection string.
Steve
Steven Smith, MCSE+Internet, Microsoft MVP: ASP.NET
President, ASPAlliance.com
http://aspalliance.com
The #1 ASP.NET Community
http://aspsmith.com
ASP.NET Training for ASP Developers
Learning ASP.NET? Get My Book: ASP.NET By Example
http://amazon.com/exec/obidos/ASIN/0789725622/stevenatorasp/
----- Original Message -----
From: "Chris Anderson"
To: "aspngarchitecture"
Sent: Tuesday, June 25, 2002 5:26 AM
Subject: [aspngarchitecture] RE: Why web.config for Connection strings?
[Original message clipped]
Martin Garins
You can also use a trusted connection when using SQL Server.
Then the password is not shown anywhere in code or configuration files.
Of course you would then have to change the anonymous user for the
website and allow impersonation in the machine.config file.
Or you could also create a Serviced Component and stick it in COM+ as a
Server application and have that application run as a specific user and
again your connection string uses a trusted connection.
Martin Garins, MCSD
Vice President - Technology
e-Intersect Corp.
http://www.e-intersect.com
http://www.jppex.com
-----Original Message-----
From: Steven A Smith
Sent: Tuesday, June 25, 2002 6:47 AM
To: aspngarchitecture
Subject: [aspngarchitecture] RE: Why web.config for Connection strings?
And when you deploy from your dev system with dev database to your
production system with production database you don't have to recompile
to change the connection string.
Steve
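As an added example (not code from any poster in this thread): a small Python audit that reads a web.config, picks out the connection strings, and reports for each one whether it stores a password, uses the sa login, or relies on a trusted connection, which are the cases raised in the replies above. The sample config, its setting names and the password value are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a .NET 1.x-style web.config holding two connection strings.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="OrdersDb" value="Server=db01;Database=Orders;UID=sa;PWD=example-only" />
    <add key="ReportsDb" value="Data Source=db01;Initial Catalog=Reports;Integrated Security=SSPI" />
    <add key="PageSize" value="25" />
  </appSettings>
</configuration>"""

# SqlClient keyword synonyms, compared case-insensitively.
SERVER_KEYS = {"server", "data source", "address", "addr", "network address"}
USER_KEYS = {"uid", "user id", "user"}
PASSWORD_KEYS = {"pwd", "password"}
TRUSTED_KEYS = {"integrated security", "trusted_connection"}

def parse_connection_string(value):
    """Split 'k=v;k=v' into a dict with lower-cased, trimmed keys."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_web_config(xml_text):
    """Return {setting name: {"trusted": bool, "findings": [...]}}."""
    root = ET.fromstring(xml_text)
    report = {}
    # appSettings/add is the .NET 1.x convention; connectionStrings/add is .NET 2.0+.
    entries = root.findall("./appSettings/add") + root.findall("./connectionStrings/add")
    for add in entries:
        name = add.get("key") or add.get("name")
        fields = parse_connection_string(add.get("value") or add.get("connectionString") or "")
        if not SERVER_KEYS & fields.keys():
            continue  # an ordinary setting, not a connection string
        trusted = any(fields.get(k, "").lower() in ("sspi", "true", "yes") for k in TRUSTED_KEYS)
        findings = []
        if PASSWORD_KEYS & fields.keys():
            findings.append("password stored in config")
        if any(fields.get(k, "").lower() == "sa" for k in USER_KEYS):
            findings.append("uses the sa login")
        report[name] = {"trusted": trusted, "findings": findings}
    return report

if __name__ == "__main__":
    for name, result in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(name, result)
```

A setting reported with `trusted` false and no findings keeps its credentials somewhere other than the config file, for example compiled into the component.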